Upgrading a Samba domain controller and bind from Debian10 to Debian11¶
Use case : Debian10 (Buster) domain controller with Samba 4.14.10 and bind9.
Since last CVE, Samba administrators are advised to upgrade to 4.15.5 to correct the defect. Here’s the process.
Attention
If you encounter a problem when updating the repository and if you get the errors gpg: no valid OpenPGP data found or wget: unable to resolve host address "mydomain.lan", you will need to check your /etc/resolv.conf file and then add the following lines at the end of /root/.bashrc:
export http_proxy="http://proxy:3128";
export https_proxy="http://proxy:3128";
Backup your Samba domain (create backup folder)
mkdir /root/backup_samba mkdir /root/backup_samba/named
Stop the services
systemctl stop samba-ad-dc systemctl stop bind9
Rsync your Data
rsync -aPv /var/lib/samba /root/backup_samba/ rsync -aPv /etc/samba/smb.conf /root/backup_samba/ rsync -aPv /var/lib/samba/bind-dns/ /root/backup_samba/named/ rsync -aPv /etc/default/bind9 /root/backup_samba/named/ rsync -aPv /etc/bind/named.conf.local /root/backup_samba/named/ rsync -aPv /etc/bind/named.conf.options /root/backup_samba/named/
Update the TIS Samba repositories:
wget -qO- https://samba.tranquil.it/tissamba-pubkey.asc | tee /etc/apt/trusted.gpg.d/tissamba.asc sha256sum /etc/apt/trusted.gpg.d/tissamba.asc b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 /etc/apt/trusted.gpg.d/tissamba.asc echo "deb https://samba.tranquil.it/debian/samba-4.15/ bullseye main" > /etc/apt/sources.list.d/tissamba.list
Change your Debian source file
/etc/apt/sources.list:deb http://deb.debian.org/debian bullseye main deb-src http://deb.debian.org/debian bullseye main deb http://deb.debian.org/debian-security/ bullseye-security main deb-src http://deb.debian.org/debian-security/ bullseye-security main deb http://deb.debian.org/debian bullseye-updates main deb-src http://deb.debian.org/debian bullseye-updates main
Check
/etc/apt/sources.list.d/then select tissamba.list and change the version of Samba if necessary:deb https://samba.tranquil.it/debian/samba-4.19/ bullseye main
Update the host:
export DEBIAN_FRONTEND=noninteractive apt-get update -y apt-get dist-upgrade -y unset DEBIAN_FRONTEND
Restart the host:
reboot
After reboot get your bind9 version
[root@srvads1.mydomain.lan bind]# named -V BIND 9.16.22-Debian (Extended Support Version)
Modify the
/etc/bind/named.conf.localfile to match your bind9 versiondlz "mydomain.lan" { database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so"; };
After modification, you can restart the service
systemctl restart bind9
Tests and validation:
samba-tool --version samba-tool drs showrepl --summary samba-tool dbcheck --cross-ncs --fix --yes dig @localhost google.fr dig @localhost $(hostname -d) kinit klist